On 5/4/05, Nans Delrieu <delrieu dot nans at laposte dot net> wrote:
>
> Lots of captive portals use MAC addresses after authentication. After
> auth, the captive portal looks at MAC addresses and lets you surf if the MAC
> address is good.
>
> For example, if someone (called A) wants to connect to the local network,
> he gives his login and password.
> Then, the captive portal authorizes this person if the login and the
> password are good. But after authentication, if an ill-intentioned person
> B takes the MAC address of person A, the captive portal lets person B
> surf the web??? It's a big problem? How to resolve that??
>
Ah yes, m0n0wall's captive portal does rely on MAC addresses. There
is no way to prevent spoofing a MAC to gain access to another person's
authenticated session after they are done using it. Instructing your
users to use the log out functionality will prevent this (I know
that's easier said than done though). Using the idle timeout and hard
timeout will also help prevent this, and minimize the window for
misuse.
-Chris
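
The logout, idle timeout and hard timeout behaviour discussed in this thread, as an added example that is not part of the original messages and is not m0n0wall's code: a simplified MAC-keyed session table showing when a previously authenticated MAC stops being accepted. The class, method names, sample address and timeout values are hypothetical.

```python
# Added illustration, not m0n0wall code: a simplified MAC-keyed session table.
# All names and timeout values here are hypothetical.
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    started: float    # login time, seconds
    last_seen: float  # time of last accepted traffic, seconds

class PortalSessions:
    def __init__(self, idle_timeout, hard_timeout):
        self.idle_timeout = idle_timeout
        self.hard_timeout = hard_timeout
        self.by_mac = {}

    def login(self, mac, user, now):
        self.by_mac[mac.lower()] = Session(user, now, now)

    def logout(self, mac):
        # Explicit logout removes the entry at once: no residual window.
        self.by_mac.pop(mac.lower(), None)

    def is_allowed(self, mac, now):
        # The MAC is the only identity checked once login has succeeded.
        mac = mac.lower()
        s = self.by_mac.get(mac)
        if s is None:
            return False
        idle_expired = now - s.last_seen > self.idle_timeout
        hard_expired = now - s.started > self.hard_timeout
        if idle_expired or hard_expired:
            del self.by_mac[mac]  # session gone; a fresh login is required
            return False
        s.last_seen = now  # any accepted traffic restarts the idle timer
        return True

def demo():
    mac = "02:00:00:00:00:01"  # constructed sample address
    p = PortalSessions(idle_timeout=600, hard_timeout=3600)
    p.login(mac, "A", now=0)
    out = {"active_at_300": p.is_allowed(mac, 300)}
    out["after_idle_timeout"] = p.is_allowed(mac, 1000)  # 700 s idle
    p.login(mac, "A", now=2000)
    p.logout(mac)
    out["after_logout"] = p.is_allowed(mac, 2001)
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the idle timer restarts on any accepted traffic from the MAC, so the hard timeout is the only absolute bound on how long one login stays valid.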